Crikey! Not Another One! Lessons Learned From Australia’s Wave of Breaches

In the last few months, the citizens of Australia have been harshly awoken to the real consequences of cybercrime. It all started in September 2022 when telecommunications giant Optus announced it had suffered a data breach. The initial disclosure came from the CEO, who explained that the investigation was still ongoing but that 'some' customer information had been compromised. Within days, that figure had grown to roughly 10 million current and former customers. In the aftermath of the attack, customers were told that passport numbers, driving licence numbers and other personal information had all been exposed, making the incident the largest data breach in Australia's history to that point.

Yet, just a few weeks later, Australian citizens were hit again.

This time the breach hit health insurer Medibank. When the breach was first announced, the company said no customer data had been compromised. Only a few days later, that statement turned out to be very optimistic: the attackers held data belonging to all of its roughly four million customers.

But that wasn’t the end.

A further breach, revealed in late October, affected a communications platform used by the Australian Department of Defence and put the personal details of current and former personnel at risk.

This spurred outrage across Australia. Suddenly the data of some 14 million people (over half the population) was in the hands of cybercriminals.

Citizens wanted to know why their data had been compromised and why security had not been in place to protect them. Was it a sustained and targeted attack on the country? Were the companies they had trusted with their data not taking the cyberthreat seriously?

So, what exactly were the key issues that put such large swathes of data at risk?

Government and Policy

One of the biggest complaints from Optus customers was that so many former customers had their data exposed. The reason is that Australian law does not require companies to delete the data they hold on former customers. On the contrary, government surveillance legislation actually requires telecommunications carriers to retain specified customer data for a minimum of two years.

In the UK, by contrast, the storage limitation principle of the UK GDPR means organisations may keep personal data no longer than is necessary for the purpose it was collected for. As a result, many cybersecurity experts believed the breach's impact would have been far less severe had the government focused more on citizens' privacy than on surveillance.

Furthermore, when it comes to organisations storing customer data, the security and privacy obligations are fairly loose. Organisations are required to collect highly sensitive identity information on citizens to prevent fraud, but when it comes to storing and securing that data, there is very little focus on privacy. Encryption is often viewed as a tool used by malicious actors, and genuine companies must abide by legislation that can compel them to help law enforcement access encrypted data, further jeopardising consumer privacy.

Incident Response

Another issue highlighted by the breaches was that the Australian organisations had no process for establishing the true scope of an incident quickly. This led to inaccurate figures being released about the scale of the breaches and to victims being drip-fed information.

Two months on, the picture is still murky. Yet the longer an investigation takes, the longer people remain at risk and the more damage the organisation does to its reputation.

So, what can we learn from the breaches that organisations can use to improve their security?

A Good Example of a Bad Example

The attacks in Australia have been textbook examples of very bad responses to cyberattacks.

When businesses fail to prepare for attacks, they give up their ability to limit the impact. This is what seems to have happened at both Optus and Medibank. Instead, organisations should prepare for attacks and make that preparation a critical part of their cybersecurity strategies.

Organisations must take the time to improve their data security: strong, unique user passwords, multi-factor authentication (MFA), privileged access management (PAM) to protect key accounts, layered security and network segmentation to limit lateral movement, and regular employee training on phishing and other cybercrime. But they must also rehearse their response to incidents.

Cyberattacks are inevitable today, so having a well-practised response for when one lands is essential. By carrying out 'fire drill' exercises, from tabletop walkthroughs to live simulations, organisations learn to contain an incident and establish its scope much faster.

The Recent Attacks in Australia Have Been a Wake-Up Call

The recent attacks have cast a spotlight on cybersecurity in Australia. Fortunately, the country is now taking action and reforming its data privacy regulations to improve defences and protections.

But, in reality, it shouldn’t have taken half the country’s data being stolen for these changes to take place.

Let this be a lesson to other businesses and countries: when it comes to cyberattacks, there is no immunity and everyone is a target.


Jordan Schroeder

Jordan Schroeder is managing CISO at Barrier Networks, a position he has held since April 2021. He has worked in cybersecurity for over twenty years and has experience as a cross-sector cybersecurity CISO and Board Advisor, with a proven history of leading critical security programs at a national level.
